[members-discuss] is the RIPE NCC GDPR compliant ?

Dear Elvis,

Thanks for your email. We haven't forgotten the issues that were raised 
at RIPE 77 and are working on them (some since before that meeting).

In short, these are not trivial issues. They will take some time to 
resolve technically and some will depend on community input. But to 
address your points directly:

1. Ticketing
Email is not the only way to open a ticket with the RIPE NCC. You can 
also use the RIPE NCC Contact Form or one of the request forms in the 
LIR Portal. This allows for the secure and confidential upload of 
documentation and avoids the issue you mention regarding links to 
documents appearing in email responses from the RIPE NCC. When people 
email us, we actively direct them to upload documents via the LIR 
Portal.

We are working to address this, although there are limitations to what 
is possible with our ticketing system. A simple option would indeed be 
to no longer accept attachments via email, although we would need to 
balance this against the ability of people to interact effectively with 
the RIPE NCC.

In the meantime, as we investigate different options, our staff are 
removing attachments from the ticketing system manually in order to 
mitigate these issues.

2. RIPE Database object creation
We create PERSON objects for new LIRs to make things easier for them. 
Before they get started with the membership application form, we tell 
them how we intend to use the information they provide. We also make it 
clear that they should make sure they have permission to submit the 
personal data of third parties.

Since before GDPR became an issue, our systems have created 
person-maintainer object pairs - we are looking at the implications of 
changing this to require role-maintainer pairs. Most of our work 
regarding the database over the past several months has focused on 
implementation of NWI-5 (out-of-region objects) and abuse-c validation, 
which was requested by the community. In 2019, we hope to be able to 
dedicate more resources to furthering work on the areas you identify. 
However, we also have to consider the wishes of the community.

Our legal analysis of the RIPE Database and GDPR was based on input from 
RIPE community members. It essentially said that personal data is 
entered into the database for a specific purpose – to support 
coordination between network operators, which can be vital in the event 
of an outage or security incident.

At RIPE 77, the question was raised in the Database Working Group 
whether PERSON objects are really required. If this is the case, then it 
affects our legal analysis. However, we can't decide this ourselves - we 
will need the community to make this determination. As we understand it, 
the community will be looking at this issue closer in 2019 - and we will 
be watching and supporting this process.

Regarding your final point, our systems were never intended to cater to 
multiple LIRs and so the duplication you mention is a natural 
consequence of this. When thinking about changes to fix the issue, we 
need to consider the wisdom of spending resources to cater to this 
sub-set of members instead of improvements that would benefit the wider 
community and membership.

Kind regards,

Felipe Victolla Silveira
Chief Operations Officer
RIPE NCC